How to secure Connection Strings

Secure your Connection String

When hosting a website in a shared web hosting service, it's important to consider security concerns to protect your website from potential hacking attempts. One of the key areas of concern is the transmission of sensitive information, such as connection strings, over unsecured channels like HTTP.

Sending a connection string over HTTP exposes it to potential interception by malicious actors. Since HTTP communication is not encrypted, the connection string would be transmitted as plain text, making it vulnerable to eavesdropping and potential misuse.

To address this security risk, it is recommended to implement secure communication protocols such as HTTPS (HTTP over SSL/TLS) for transmitting sensitive information, including connection strings. HTTPS encrypts the communication between the web server and the client, ensuring that data remains confidential and protected from interception.

Encrypt or Decrypt Connection Strings in a web.config file

The Web.config file often contains sensitive information, including connection string parameters that are crucial for accessing the database. To mitigate potential security risks associated with storing sensitive information in the Web.config file, it is recommended to utilize the built-in protected configuration model functionality provided by ASP.NET.

By using this functionality, you can enhance the security of sensitive information stored in the connection string. One approach is to encrypt specific sections of the Web.config file that contain sensitive data. This encryption process ensures that the sensitive information is stored in an encrypted format, making it significantly more challenging for unauthorized individuals to access and interpret the data.

The protected configuration model allows you to encrypt and decrypt the encrypted sections of the Web.config file using encryption algorithms and cryptographic keys. By encrypting the sensitive sections, you add an additional layer of security to the connection string and other critical information.

How to encrypting the connection string in ASP.NET ?

To enhance the security of sensitive information stored in the connection string section of a web.config file, you can employ the aspnet_regiis.exe command line tool provided by ASP.NET. This tool allows you to encrypt the connection string section, ensuring that it is never stored as plain text, thereby mitigating potential risks associated with unauthorized access to sensitive data.

The aspnet_regiis.exe tool is located in the:

%systemroot%\Microsoft.NET\Framework\versionNumber folder.

To encrypt the connection string section, you can utilize the -pef option followed by the application name, in this case, "MyWebApp".

By running the appropriate command with the aspnet_regiis.exe tool, you can initiate the encryption process for the connection string section of the web.config file associated with the MyWebApp application. This encryption provides an additional layer of protection, rendering the sensitive information unreadable to unauthorized individuals.You can encrypt the connectionStrings section of the Web.config file by using aspnet_regiis.exe as follows :

aspnet_regiis.exe -pef "connectionStrings" "/MyWebApp"

The -pef option in the aspnet_regiis.exe command signifies that the application being referenced is structured as a File System website. The subsequent argument, "connectionStrings," specifies the specific configuration section that requires encryption. Lastly, the third argument denotes the physical path where the web.config file is situated, allowing the tool to locate and perform the encryption operation on the specified configuration section.

By incorporating the -pef option followed by the appropriate arguments, you can effectively encrypt the designated configuration section within the web.config file of the File System website. This encryption process enhances the security of sensitive information contained within the connectionStrings section, providing an additional layer of protection against unauthorized access and potential data breaches.

If you are using IIS based web application the command will be,

aspnet_regiis.exe -pe "connectionStrings" -app "/MyWebApp"

The -pe option, passing it the string "connectionStrings" to encrypt the connectionStrings element.

The -app option, passing it the name of your application.

After running the tool successfully .. you will receive a message "Encrypting configuration section...Succeeded!"

How to decrypt the connection string in ASP.NET ?

When you want to decrypt the encrypted Web.config file, run the aspnet_regiis.exe tool with the -pd option. The syntax is the same as encrypting Web.config file contents with the -pe option except that you do not specify a protected configuration provider.


By adopting secure communication practices, regularly updating your web application, and implementing robust security measures, you can help mitigate the risks associated with hosting a website in a shared web hosting service and enhance the overall security of your website and its data.